db-derby-dev mailing list archives

Hi Francois,
thanks for your reply. Please (also) see my reply to Dan.
Francois Orsini <francois.orsini@gmail.com> writes:
> Not sure I understand this completely - What do you mean by "Thus, an
> invalid user is allowed to change the database state"? if the database is
I meant the boot state, which may be significant for a dba.
> booted and left opened, it still requires users to authenticate to get a
> valid connection to it, _if_ derby.connection.requireAuthentication was set
> to true. The database can stay open as it is required to be online so that
> user authentication works...Yes, we could shut it down again if it was not
> being booted before *but* then one also has to handle the possibility of
> concurrent user authentication requests and if the first one requiring the
> db to be booted in the first place, should we shut it down then? I mean yes
> we could do and try such a thing but it's not like the database data are
> being made available since no invalid user will be able to authenticate
> anyway...This is *not* a denial-of-service attack - Again, the db data is
> not made available to invalid user(s)...
Dag